SANS NewsBites

Congress Looks into Resiliency of the Power Grid; Top 30 Exploited Vulnerabilities Need to be Patched; NSA Publishes Wireless Device Security Info

July 30, 2021  |  Volume XXIII - Issue #59

Top of the News


2021-07-29

Congressional Hearing on Grid Security

On Tuesday, July 27, the US House Subcommittee on National Security held a hearing focused on the security of the country’s electric grid. Federal officials testifying at the hearing raised concerns about inadequate security features in grid equipment and about the grid’s ability to withstand multiple major incidents, and suggested ways to improve security, including greater domestic production of grid equipment.

Editor's Note

Most of the cybersecurity related issues are nothing new here – the new focus is really on supply chain security. The telling quote: “Large power transformers are only manufactured abroad…” and can take up to a year to be procured and delivered. The pandemic pointed out in a big way that while “just in time inventory” approaches reduce cost/increase profit, natural or political disruptions to transportation and delivery can lead to severe and prolonged outages. Mandatory backup capacity or increased availability of domestic sources raises costs but also raises resiliency and availability.

John Pescatore

Looking beyond the security of the components that operate the grid, leverage new collaboration opportunities to collaborate with CISA and peers to facilitate not only getting help when there is a problem, but also how to best implement pending standards, and possibly drive input in their creation. Irrespective of who your supplier is, foreign or domestic, evaluate their ability to deliver components needed to restore or augment your services. Include their supply chain challenges in the analysis.

Lee Neely

The risk associated with long lead times for grid components, to specifically include some large transformers, has been identified since the Clinton Administration. It has not decreased.

William Hugh Murray

2021-07-29

Joint Advisory Enumerates 30 Most Exploited Vulnerabilities of 2020

A joint cybersecurity advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) lists the top 30 routinely exploited CVEs in 2020.

Editor's Note

This advisory yet again highlights vulnerabilities in perimeter security devices. Over the last couple of years, attackers have realized the poor code quality affecting not just home and small business appliances, but enterprise appliances as well. Your best defense is to limit your attack surface and disable as many features as possible. Do not expose any administrative web applications outside a tightly controlled administrative network.

Johannes Ullrich

Use this information to refine your risk-based approach to vulnerability mitigations. Where you have products susceptible to these vulnerabilities, review the mitigations and IOCs to make sure that you have a comprehensive fix as well as being equipped to detect attempted or actual exploitation. Next, include your development team in reviewing the MITRE 2021 CWE Top 25 Most Dangerous Software Weaknesses.

Lee Neely

It has been very obvious that IT operations (who in most organizations are responsible for patching servers and PCs) have been consumed with just keeping the applications and services running as the pandemic drove the need to support full-time work from home and caused workforce and support disruptions. Time to patch has increased. Security mitigations must take that into account – increasing visibility and asset inventory (essentially Implementation Group 1 of the CIS Critical Security Controls) but also putting shielding and/or segmentation around vulnerable systems that are just going to take longer to patch. When hurricanes are hitting every few days, you have to leave the plywood up over the windows – hoping the windows get stronger does not increase safety.

John Pescatore

To ensure that patching gets necessary attention and resources, effective patching should be both measured and reported to stakeholders.

William Hugh Murray

2021-07-29

NSA Guidance on Wireless Device Security

The US National Security Agency (NSA) has published wireless device security guidance for people traveling or working remotely. The cybersecurity information sheet “describes how to identify potentially vulnerable connections and protect common wireless technologies, and lists steps users can take to help secure their devices and data.”

Editor's Note

Just a week ago, Apple patched the SSID Format String flaw that in some cases could lead to arbitrary remote execution when joining a malicious WiFi network. It comes back down to reducing your attack surface again: Turn off radios you are not using. This can be challenging for a mobile device that isn't doing much without network connection and a Bluetooth connection for headsets.

Johannes Ullrich

This does a good job explaining the risks as well as providing tables of Do’s and Don’ts you should incorporate into your UAT program. This is not just Wi-Fi; this is also about Bluetooth, NFC, and mitigations which are easy to take and raise the bar on the security of those services. Don’t forget to remind users that even with these mitigations, the area being used to perform work still needs to be appropriate: beware of who can see and hear your screen, conversation and any paper notes or documents in use.

Lee Neely

Wireless attacks do not scale well; the risk has always been from the wired side. While still vulnerable, and perhaps only for the moment, cellular is safer than WiFi (except in Washington DC). Devices that connect directly to the public networks should not also connect to the enterprise network. Business travelers should practice good hygiene.

William Hugh Murray

The Rest of the Week's News


2021-07-29

Biden Memorandum on Critical Infrastructure Cybersecurity

President Joe Biden has issued a national security memorandum focused on improving critical infrastructure control system cybersecurity. The memo directs the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) to develop benchmarks for entities that manage the country’s critical infrastructure.

Editor's Note

Not much new here, but more reports coming. Similar to the Congressional hearing item, the technical and policy issues around critical infrastructure are well known, the supply chain disruption issue and lack of resiliency is the area where prioritized actions are needed.

John Pescatore

Most of the critical infrastructure is managed by the private sector, not government. The two most important components of the nation's infrastructure are power and finance. One of those is doing a much better job of security than the other.

William Hugh Murray

2021-07-27

FBI Official Tells Legislators Not to Ban Ransomware Payments

FBI Cyber Division assistant director Bryan Vorndran told US legislators that while the agency does not recommend that ransomware victims pay operators’ demands, banning ransomware payments could backfire. Vorndran told the Senate Judiciary Committee that banning payments could place “U.S. companies in a position to face yet another extortion, which is being blackmailed for paying the ransom and not sharing that with authorities.”

Editor's Note

This is a complex topic and has to be considered carefully. If you do elect to make a payment, understand how you’re impacted by the Office of Foreign Assets Control (OFAC) in addition to local or national legislation. Build the relationships needed for reporting and responding to a ransomware attack now. Leverage references like the StopRansomware.gov web site to get a leg up on preparedness.

Lee Neely

2021-07-29

Iranian Railway Cyberattack Used New Wiper Malware

Earlier this month, a cyberattack disrupted train service in Iran. The attack, which affected the country’s state-owned rail system and its transportation ministry website, used wiper malware that had not been seen before. Researchers from SentinelOne write that the cyberattack was “orchestrated via a set of batch files nested alongside their respective components and chained together in successive execution.”

Editor's Note

Read the report from SentinelOne to see how this new malware works. The report includes links to IoCs and YARA rules you can implement to aid detection and hunting activities. This wiper is designed to completely cripple a target’s systems, and includes functions ranging from changing passwords, disabling screen savers and altering boot records to creating processes and executing commands, reinforcing the need for those indicators.

Lee Neely

The current hostile environment means that enterprises may have to recover whole networks, rather than simply a file or two. Ensure the capability to recover entire applications in hours to days.

William Hugh Murray

2021-07-29

WordPress Download Manager Updated to Fix Vulnerabilities

Developers of the WordPress Download Manager plugin have released an update to address two security issues: an information disclosure vulnerability and a file upload vulnerability. The WordPress Download Manager plugin is installed on more than 100,000 sites.

Editor's Note

The patch was released on May 5th, less than 24 hours after the developers were notified of the flaw. If you are using the WordPress Download Manager plugin, make sure you’re using version 3.1.25 or later. The file upload weakness could be used to upload executable content to perform a site takeover, while the information disclosure weakness allowed for a path traversal exploit to allow viewing of arbitrary or sensitive files, e.g. wp-config.php. Make sure you are either updated or remove this plugin if not actively used.

Lee Neely
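The two weakness classes named above, path traversal in a file-serving endpoint and unrestricted upload of executable content, are generic and worth seeing side by side. The following is an added example written for this page, not code from the Download Manager plugin or from WordPress: it shows a naive path join next to a lexical containment check, and an upload-name filter that allowlists the final extension, refuses server-executable extensions anywhere in the name (the classic "shell.php.png" double-extension trick) and replaces the client-supplied name with a random one. The base directory, extension sets and sample inputs are constructed for the example.

```python
"""Path-traversal and upload-validation checks (illustrative; not the plugin's code)."""
import posixpath
import uuid

# Constructed for the example: the only directory the download endpoint may read from.
BASE_DIR = "/var/www/html/wp-content/uploads"

# Extensions the upload endpoint accepts; anything else is refused.
ALLOWED_EXTENSIONS = {"pdf", "zip", "png", "jpg", "jpeg"}

# Extensions that must never appear anywhere in a stored name, because some web
# server configurations execute them even when they are not the final suffix.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar", "cgi", "pl", "sh"}


def vulnerable_resolve(user_path: str) -> str:
    """Naive join: '../../wp-config.php' walks straight out of BASE_DIR."""
    return posixpath.join(BASE_DIR, user_path)


def safe_resolve(user_path: str) -> str:
    """Return the path to serve, or raise ValueError if it escapes BASE_DIR.

    The containment check is lexical (normpath + commonpath). It does not follow
    symlinks, so BASE_DIR itself must not contain links pointing outside it.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if posixpath.isabs(user_path):
        raise ValueError("absolute path not allowed")
    full = posixpath.normpath(posixpath.join(BASE_DIR, user_path))
    if posixpath.commonpath([BASE_DIR, full]) != BASE_DIR:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return full


def is_safe_path(user_path: str) -> bool:
    """Boolean wrapper around safe_resolve for callers that only need a verdict."""
    try:
        safe_resolve(user_path)
        return True
    except ValueError:
        return False


def safe_upload_name(filename: str) -> str:
    """Return a server-chosen name for an uploaded file, or raise ValueError.

    The client-supplied name is used only to learn the extension; the stored
    name is random so the attacker can neither predict the URL nor overwrite
    an existing file.
    """
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    # Strip any directory component, tolerating Windows-style separators.
    base = posixpath.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[-1]:
        raise ValueError("missing extension")
    exts = parts[1:]
    if exts[-1] not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {exts[-1]!r}")
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        raise ValueError(f"executable extension in name: {base!r}")
    return f"{uuid.uuid4().hex}.{exts[-1]}"


def is_acceptable_upload(filename: str) -> bool:
    """Boolean wrapper around safe_upload_name."""
    try:
        safe_upload_name(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one traversal attempt.
    for req in ("2021/07/report.pdf", "../../wp-config.php"):
        print(req, "->", "naive:", vulnerable_resolve(req), "| safe:", is_safe_path(req))
    for name in ("report.PDF", "shell.php.png", "..\\..\\evil.php"):
        print(name, "->", is_acceptable_upload(name))
```

Whichever framework or language the real plugin uses, the two properties to verify in a fix are the same: every served path is proven to lie under the intended directory after normalisation, and no client-controlled string ever becomes a filename the web server might execute.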

Does it bear repeating that WordPress plugins should never be included by default but only after careful consideration and must be carefully managed?

William Hugh Murray

2021-07-29

ATM Jackpotting Arrests in Poland

Law enforcement authorities in Poland have arrested two people from Belarus for their alleged roles in an ATM jackpotting scheme. The suspects allegedly targeted ATMs in at least seven European countries; all the targeted machines were the same brand and model.

Editor's Note

The investigation leveraged the EMPACT framework and included authorities from Poland, Germany, Austria, Switzerland, Czech Republic and Slovakia. The attacks required physical access to the ATMs and necessitated drilling holes or melting parts to access the connection used by the laptop to compromise the ATM. As sexy as it sounds to jackpot an ATM, remember they not only have tamper detection but also surveillance making it unlikely your actions would go undetected.

Lee Neely

Intuitively one might conclude that these attacks constitute a significant risk. However, they do not scale well, require physical access, and result in limited losses (thousands to low tens of thousands of dollars per ATM.) Cash just isn't what it used to be.

William Hugh Murray

2021-07-28

Prison for PHI Thief

A US district judge in Texas has sentenced Amanda Lowry to 30 months in prison for her role in a scheme to steal protected health information (PHI). In December 2020, Lowry pleaded guilty to conspiracy to obtain information from a protected computer. Lowry and two co-conspirators were indicted in September 2019.


2021-07-29

UC San Diego Health Discloses Data Breach

University of California San Diego Health says that a phishing attack led to the exposure of employee, student, and patient information. Attackers had access to the data between December 2, 2020 and April 8, 2021. The compromised information includes lab results, medical diagnoses, and other sensitive data.

Editor's Note

Notifications to impacted individuals will not be sent until the investigation is complete and will offer one year of credit monitoring and identity theft protection through Experian IdentityWorks. Actions are already underway to prevent recurrence, including updating credentials and disabling access points. If you are a UC San Diego Health employee, student or patient, monitor your accounts and credit report for unexpected activity, or, if you don’t already have it, seek out your own identity and credit protection solution.

Lee Neely

A single user clicking on bait should not compromise the enterprise. Browsing and e-mail are the applications where users are most likely to encounter bait. These should be isolated from mission critical applications.

William Hugh Murray

Internet Storm Center Tech Corner

Malicious Content Delivered Through archive.org

https://isc.sans.edu/forums/diary/Malicious+Content+Delivered+Through+archiveorg/27688/


A Sextortion E-Mail From ... IT Support?!

https://isc.sans.edu/forums/diary/A+sextortion+email+fromIT+support/27682/


Details about CVE-2021-30807 (patch released Monday, July 26, for macOS/iOS)

https://saaramar.github.io/IOMobileFrameBuffer_LPE_POC/


Zimbra 8.8.15 XSS and SSRF Vulnerability

https://blog.sonarsource.com/zimbra-webmail-compromise-via-email


LockBit Ransomware Uses Group Policies

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-automates-windows-domain-encryption-via-group-policies/


A Large-Scale Security-Oriented Static Analysis of Python Packages in PyPI

https://arxiv.org/abs/2107.12699


Microsoft Extending SafeLinks to Teams

https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/microsoft-teams-gets-more-phishing-protection/ba-p/2585559


AV-Test Compares Android Anti-Virus Software

https://www.av-test.org/en/news/15-security-apps-for-android-in-an-endurance-test/


Oscorp evolves into UBEL: Advanced Android Malware

https://www.cleafy.com/cleafy-labs/ubel-oscorp-evolution


QOMPLX Reboots Punkspider

https://www.globenewswire.com/da/news-release/2021/07/20/2265860/0/en/QOMPLX-Reboots-Punkspider.html


AFRINIC IPv4 Address Heist

https://lists.afrinic.net/pipermail/community-discuss/2021-July/004122.html


Crimea "manifesto" deploys VBA Rat using double attack vectors

https://blog.malwarebytes.com/threat-intelligence/2021/07/crimea-manifesto-deploys-vba-rat-using-double-attack-vectors/